In the dynamic landscape of cybersecurity, the year 2023 has brought forth noteworthy security incidents, introducing new and complex threats that have impacted various organizations. Play ransomware and RansomHouse have taken center stage this year, each using strategies that have kept security professionals on high alert.
Emerging in June 2022, Play ransomware has impacted organizations worldwide, using big game hunting tactics and tools like Cobalt Strike and SystemBC RAT. RansomHouse has targeted entities such as the Saskatchewan Liquor and Gaming Authority, multinational corporations like Advanced Micro Devices (AMD), and the healthcare giant Keralty. The group's unconventional approach has disrupted operations and left a financial impact on its victims.
Alongside significant threat actors, this year witnessed the exploitation of notable vulnerabilities. In the third quarter, the ransomware gang Cl0p exploited Progress Software's MOVEit file transfer vulnerabilities. Before this, they also targeted PaperCut servers, alongside LockBit. Also, let's not overlook the numerous zero-day vulnerabilities and discussions about the future of generative Artificial Intelligence (AI). Let’s explore this year's most discussed cyber threats and anticipate what organizations can expect in 2024.
Play ransomware, also known as PlayCrypt, made its debut in June 2022, swiftly impacting organizations worldwide. With a primary focus on Latin America, especially Brazil, Play has demonstrated big game hunting tactics, utilizing tools like Cobalt Strike and SystemBC RAT for persistence. Notably, their recent exploitation of ProxyNotShell vulnerabilities in Microsoft Exchange has added to their arsenal. Researchers suspect a connection between Play and the ransomware groups Hive and Nokoyawa, pointing to shared tactics and techniques.
Notable Incidents & Tactics
Play gained attention after victims reported attacks on the Bleeping Computer forums, with targets including Argentina’s Judiciary of Cordoba. The attack forced the Judiciary to shut down its IT systems, signaling the severity of Play's impact. The ransomware, identified by the .play extension and a minimal ransom note, is unusually simple in its construction. At the same time, Play has been observed exploiting ProxyNotShell vulnerabilities, demonstrating a high degree of sophistication in its tactics. The threat actor's connections to Hive, Nokoyawa, and even Quantum ransomware suggest a complex web of affiliations.
RansomHouse, emerging in December 2021, stands out as a unique threat in the cybercrime landscape. Despite its name, it strays from typical ransomware operations, operating as a data-extortion group. Instead of encrypting systems, RansomHouse focuses on breaching networks through vulnerabilities, opting to request payment for stolen data rather than deploying traditional ransomware tactics.
Noteworthy Incidents and Defense Strategies
RansomHouse's targets range from the Saskatchewan Liquor and Gaming Authority to global entities like Advanced Micro Devices (AMD), Keralty, and even the government of Vanuatu. The group distinguishes itself by avoiding encryption, choosing a manual, one-victim-at-a-time approach. Public shaming is a key tactic; if a victim refuses to pay, RansomHouse publishes a portion of their data, aiming to tarnish the organization's reputation. Interestingly, RansomHouse criticizes poor security practices, as seen in their attack on AMD, suggesting a potential connection to disgruntled white-hat hackers. Negotiations with victims involve providing breach reports and promising data deletion.
In February 2023, Avertium published a Qakbot case study highlighting the QakNote campaign. This case, like others, began when a malicious email with a OneNote attachment was sent to a client’s administrative assistant. As the email instructed, the assistant double-clicked the OneNote attachment, which appeared to contain information about a meeting cancellation but was actually laced with malware.
Qakbot continued to run successful attacks until the summer of 2023, when it was disrupted by the "Duck Hunt" operation led by the US Department of Justice. Despite the seizure of 52 servers and the removal of the malware loader from over 700,000 victim computers globally, the cybercriminals behind Qakbot have since launched a new campaign targeting the hospitality sector.
Qakbot Resurfaces
Unfortunately, in December 2023, Qakbot resurfaced. Microsoft's threat analysts identified this resurgence on December 11, with a phishing email masquerading as an IRS employee and containing a PDF named GuestListVegas.pdf. The PDF contained a URL leading to the download of a digitally signed Windows Installer (.msi), executing the Qakbot malware. This resurgence is particularly alarming due to phishing being an easy attack vector.
Despite a recent disruption by the US Department of Justice, the cybercriminals behind Qakbot have quickly launched a new phishing campaign, demonstrating their determination and agility in evading previous takedowns. Qakbot is often disseminated through phishing, utilizing tactics like malicious emails from new or hijacked addresses, with the reuse of existing email conversations being particularly effective, as it appears trustworthy. It is important for organizations to remain vigilant, providing their employees with the proper training to quickly spot and thwart a phishing attempt.
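As an added example (not code from the original post or from Avertium), the following Python triage check flags the two traits of the lure described above: a sender display name claiming to be the IRS on a non-IRS domain, and a PDF attachment whose link target is an installer such as an .msi. The message, the PDF stub, the `IMPERSONATED` domain list and the `INSTALLER_EXT` list are all constructed assumptions for illustration.

```python
from __future__ import annotations

import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample PDF (hypothetical, not a real lure): a minimal stub whose
# only meaningful content is a /URI link action pointing at an .msi installer,
# mirroring the PDF-to-signed-MSI chain described in the post.
PDF_STUB = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://example.invalid/setup/GuestList.msi) >> >> endobj\n"
    b"%%EOF\n"
)

# Display-name keyword -> domain the genuine sender would use (assumed list).
IMPERSONATED = {"irs": "irs.gov"}
# Link targets that should never be one click away from a PDF received by mail.
INSTALLER_EXT = (".msi", ".exe", ".js", ".vbs", ".iso", ".zip")
URI_RE = re.compile(rb"/URI\s*\((https?://[^)\s]+)\)")


def build_sample(sender: str = "IRS Agent <notice@irs-mail.example.invalid>",
                 pdf: bytes = PDF_STUB) -> bytes:
    """Assemble a constructed test message shaped like the lure in the post."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "frontdesk@hotel.example.invalid"
    msg["Subject"] = "Guest list for your reservation"
    msg.set_content("Please review the attached guest list before check-in.")
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="GuestListVegas.pdf")
    return msg.as_bytes()


def pdf_links(data: bytes) -> list[str]:
    """Pull http(s) targets out of PDF /URI link actions (raw scan, no PDF parser)."""
    return [m.decode("ascii", "replace") for m in URI_RE.findall(data)]


def triage(raw: bytes) -> dict:
    """Return findings for the two lure traits: brand spoofing and installer links."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    name, addr = parseaddr(msg["From"] or "")
    domain = addr.rsplit("@", 1)[-1].lower()
    for keyword, legit in IMPERSONATED.items():
        if keyword in name.lower() and domain != legit and not domain.endswith("." + legit):
            findings.append(f"display name claims {keyword.upper()} but sender domain is {domain}")
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        for url in pdf_links(part.get_payload(decode=True) or b""):
            if url.lower().split("?", 1)[0].endswith(INSTALLER_EXT):
                findings.append(f"{part.get_filename()} links to an installer: {url}")
    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for line in triage(build_sample())["findings"]:
        print(line)
```

In a mail gateway the same checks would run over every inbound message; here both findings come from the constructed sample, and a message from the genuine domain with a PDF linking to a document rather than an installer produces none.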
In addition to Qakbot resurfacing, Winter Vivern also resurfaced in 2023. In late February 2023, cybersecurity intelligence firms Recorded Future and Google’s TAG issued warnings about Russia's plans to escalate cyber attacks against Ukraine. Google’s TAG team expressed high confidence that Moscow would intensify disruptive and destructive attacks in 2023, particularly if the military situation significantly favors Ukraine. Predictions suggested that Russian hacktivists might support military efforts through cyber warfare, targeting regions in Ukraine not overtaken by physical force and potentially extending attacks to NATO countries.
Winter Vivern Exploits Zimbra Vulnerability
This year, the Russian APT Winter Vivern, also known as TA473 and UAC-0114, exploited a Zimbra software vulnerability (CVE-2022-27926) in an ongoing cyber espionage campaign. The medium-severity vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript or HTML code. In exploiting the flaw, the group used tools like Acunetix to identify unpatched webmail portals at specific organizations, then sent those organizations phishing emails impersonating government entities.
Linked to the goals of the Belarusian and Russian governments, Winter Vivern, recognized for phishing campaigns using replicated official documents, targeted state authorities in Ukraine and Poland, along with officials in India, Lithuania, the U.S., Slovakia, and the Vatican.
Winter Vivern may use simple tactics, but their powerful tools and ability to stay hidden make them a serious threat.
Mirai, an IoT-targeting malware botnet, was known to exploit vulnerabilities in devices running a simplified Linux version on ARC processors. It reached its peak in 2016, infecting over 600,000 devices like home routers and surveillance cameras. Acting as a self-propagating worm, Mirai used default credentials and a brute-force approach, demonstrating its potency with powerful distributed denial-of-service (DDoS) attacks. Despite the FBI's arrest of its creators in 2019, Mirai's open-source code allowed the development of new threats.
Mirai Returns as HinataBot
In March 2023, HinataBot, a Golang-based malware, surfaced as a successor to Mirai. Believed to be created by former Mirai hackers, HinataBot exploits vulnerabilities, spreads through various techniques, and surpasses Mirai's potency. Written in Golang, it exhibits advanced features, making it challenging to analyze. This choice of language showcases how threat actors are adopting new approaches to writing malware, taking advantage of Golang's performance, multi-threading capabilities, cross-compilation support, and the ability to add complexity during compilation.
Researchers expect HinataBot's power to eventually surpass Mirai's. In a brief trial attack, researchers found that with only 1,000 nodes, HinataBot could generate UDP flood traffic of approximately 336 Gbps, showcasing its potential for intense attacks. It is important to maintain password policies, timely patching, and vigilance in monitoring and securing IoT devices, given that such devices remain attractive targets for botnets and DDoS attacks.
What Do These Botnets Have in Common?
In 2023, ransomware groups strategically shifted away from traditional encryption-focused attacks, opting for data extortion tactics instead. This evolution is a significant threat as threat actors now exfiltrate sensitive information before encrypting it, leveraging the fear of data exposure to pressure victims. While the demand for ransom still exists, the primary focus has moved from locking access to data to threatening its exposure, representing a departure from previous approaches.
Data Extortion
Several ransomware groups, such as 8Base, BianLian, Karakurt, and Cl0p, have embraced data extortion strategies. These groups target various sectors, compromising organizations' networks, stealing valuable data, and threatening to expose or sell it unless a ransom is paid.
In December 2023, 8Base targeted four new victims, expanding its data-extortion cybercrime operations to include three American companies – Davis, Cedillo & Mendoza, Inc. (specializing in business litigation), Employ Milwaukee (involved in workforce development), and Horizon Spa & Pool Parts (pool and spa components distribution) – along with Canadian firm Socadis (book industry). 8Base strategically attacked the backend, containing critical information such as databases and server details.
The shift from encryption to data extortion is attributed to increased profitability, enhanced leverage over victims, reduced technical barriers, a broader range of potential targets, easier monetization, and heightened fear among victims - making it a psychologically effective tactic for ensuring compliance.
What Do These Groups Have in Common?
In April 2023, threat actors exploited two vulnerabilities, CVE-2023-27350 and CVE-2023-27351, in the widely used PaperCut print management software. Despite PaperCut issuing patches, some organizations failed to upgrade, which made them vulnerable to attacks. Cl0p and LockBit, known for swift exploitation, targeted these vulnerabilities. Meanwhile, the Iranian APT MuddyWater and later the Bl00dy ransomware group also exploited the same weaknesses. The attackers gained unauthorized access, exfiltrated sensitive data, and, in some cases, deployed ransomware.
PaperCut's first vulnerability, CVE-2023-27350, with a critical CVSS score, allowed unauthenticated attackers to achieve remote code execution (RCE) on PaperCut Application Servers. The second, CVE-2023-27351, allowed unauthenticated information disclosure. Exploiting these, Cl0p and LockBit used Atera and Syncro as backdoors, deploying the TrueBot downloader linked to the Silence cybercrime group. The Bl00dy ransomware group exploited the vulnerabilities in the Education Facilities Subsector, bypassing user authentication and executing remote commands, leading to data exfiltration and encryption.
In June 2023, the MOVEit file transfer software faced more zero-days (CVE-2023-34362, CVE-2023-35036, CVE-2023-35708), targeted by Cl0p ransomware. Progress Software's patches couldn't prevent immediate exploitation. The class-action lawsuit against Progress Software highlighted the company’s alleged negligence. The fallout impacted organizations globally, including the New York City Department of Education, Schneider Electric, Siemens Energy, and UCLA. The MOVEit attacks continued to unfold for months after initial exploitation.
What Do These Vulnerabilities Have in Common?
In 2023, Microsoft faced an onslaught of vulnerabilities, with attackers consistently targeting its products. During Microsoft's August 2023 Patch Tuesday, the company addressed two zero-day vulnerabilities, CVE-2023-36884 and CVE-2023-38180. Both were exploited in cyberattacks, and one, CVE-2023-36884, allowed attackers to craft Microsoft Office documents to bypass security features, allowing remote code execution. The Russian threat actor Storm-0978, now rebranded as 'Underground,' actively exploited this vulnerability, continuing its ransomware operations.
Another actively exploited vulnerability, CVE-2023-38180, which could lead to Distributed Denial of Service (DDoS) attacks on .NET applications and Visual Studio, was also patched. This vulnerability does not require the attacker to have acquired user privileges on the target system, so it poses a significant threat from anywhere within the same network.
In a separate security update, Microsoft addressed high severity and critical vulnerabilities, including CVE-2023-29357, CVE-2023-32014, and CVE-2023-32015, affecting Windows Pragmatic General Multicast (PGM) and Microsoft SharePoint Server. While unexploited, these vulnerabilities, with a CVSS score of 9.8, were still a significant risk.
Additionally, a severe remote code execution vulnerability (CVE-2023-21716) in Microsoft Word allowed attackers to execute code via specially crafted RTF documents. A public proof-of-concept (PoC) exploit heightened the urgency for organizations to patch immediately.
The challenges continued in December 2023, as Microsoft patched three zero-day vulnerabilities (CVE-2023-21715, CVE-2023-21823, and CVE-2023-23376) that were being actively exploited. CVE-2023-21715 involved a Microsoft Publisher security feature bypass, allowing attackers to override macro policies. CVE-2023-21823, in the Windows Graphics Component, was an elevation of privilege vulnerability.
The final noteworthy vulnerability, CVE-2023-23376, found in the Windows Common Log File System (CLFS) driver, had severe consequences for system security and reliability. Attackers exploited these vulnerabilities, emphasizing the need for users to apply patches promptly.
What Do These Vulnerabilities Have in Common?
In 2022, Okta Inc., a global authentication company, suffered a breach by the data extortion group Lapsus$ - the group stayed in Okta’s systems for two months before they were noticed. In November 2023, Okta faced another breach involving a threat actor leveraging stolen credentials to infiltrate its support case management system.
The threat actor accessed files from specific Okta customers involved in recent support cases. BeyondTrust Corp. reported an identity-centric attack on October 2, receiving no acknowledgment from Okta until October 19. Cloudflare Inc. detected attacks on October 18 traced back to Okta, expressing concerns about Okta's response time. 1Password also detected suspicious activity on September 29 but promptly terminated it. This marks Okta's second breach within a two-year span, with the 2022 Lapsus$ breach involving stolen internal documents. That breach was allegedly not disclosed by Okta Inc. in a timely manner.
The recent security breaches at Okta, coupled with concerns about the delayed disclosure, provide a timely introduction to the potential impact of the Securities and Exchange Commission's (SEC) new rules for businesses.
In 2023, the SEC proposed cybersecurity disclosure regulations aimed at enhancing transparency for public companies. The regulations require consistent reporting of material cybersecurity incidents, disclosure of policies, and procedures for managing cybersecurity risks, as well as annual reporting on the board's cybersecurity expertise.
Two notable regulations focus on prompt reporting of breaches, requiring disclosure within 48 hours of discovery, and increased scrutiny of board members' cybersecurity expertise and oversight. These changes aim to keep investors informed and hold companies accountable. Despite potential costs and reputational risks, the SEC emphasizes transparency. The final rule, passed on July 26, 2023, mandates disclosure of significant cybersecurity incidents and annual reporting on cybersecurity risk management and governance by public companies.
In 2023, the integration of artificial intelligence (AI), especially generative AI like ChatGPT, became a big part of our daily lives. AI offers convenience but also raises concerns about privacy and data security. This year, a notable data breach related to ChatGPT exposed user information. This event sparked a much-needed debate on striking the balance between using generative AI for efficiency while still maintaining user privacy.
Initially, there were worries about AI being used for cyberattacks, but the focus shifted to the technology itself. Regulatory responses, such as JPMorgan Chase restricting employee use of AI, highlighted privacy issues. Some countries even temporarily banned certain AI tools due to concerns about age verification and data security. Using AI tools in everyday tasks, like work emails, can unintentionally expose sensitive data. To balance AI's benefits with security, organizations need clear policies, employee training, and regular checks to protect data and privacy.
While there are risks, developers are working on safety measures, and regulations aim to address privacy concerns, emphasizing a balanced approach that maximizes AI benefits while minimizing security risks.
To conclude, the cybersecurity landscape of 2023 saw a surge in advanced threats, with data extortion gaining prominence. The activity of the Russian threat actor Storm-0978, which exploited a Microsoft Office and Windows HTML vulnerability to target defense and government entities, shows the evolving tactics of threat actors.
While some anticipated trends, such as heightened Russian cyber activity following the Russia-Ukraine conflict, aligned with expectations, others, including ransomware patterns and Log4J vulnerabilities, took unexpected turns and did not play out as expected. In 2023, the dynamic cybersecurity environment emphasized the need for adaptive defenses, continuous awareness, and collaborative efforts to counter emerging threats, particularly in the realm of data extortion.